Forum Discussion
kerberos authentication on the F5 APM not working
Hi Team,
Need your help to configure F5 APM policy to work for Kerberos authentication.
Authentication flow is like this:
- First, SAML authentication will happen with AZ
- Then it will go for MFA
- After that, traffic will go to the on-prem AD server and then to the application
But at the end, we are again getting a login prompt for the application, which we don't want. Kerberos authentication should handle this and log in to the application without a user and password.
So what should the F5 APM policy config be?
- sandipkakade (Nimbostratus)
SAML and AD query are working fine. Again, at the last end we are getting a prompt for login in the application, which should happen automatically with Kerberos.
- Lucas_Thompson (Employee)
Good to hear it's mostly working fine. Because you're using a federated login type, APM does not obtain the user's password in the flow. This means that you need to use federated SSO.
To avoid login prompts, you'll have to choose between:
1- Make sure all clients are domain-joined and domain-logged-in and have your AD web sites in "Trusted Sites" so that the clients' browsers will automatically present Kerberos tickets to servers when challenged. This type of setup does not require any APM config at all because it's 100% handled by Windows. I'm fairly sure Mac clients won't work this way.
2- Use Kerberos S4U. In this mode, APM will automatically negotiate federated logins for each logged-in user based on the service account. This is a VERY common usage of APM.
How to set up S4U / Constrained Delegation:
https://my.f5.com/manage/s/article/K43063049
Troubleshooting S4U / Constrained Delegation:
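For option 2 above, the AD side of the work is preparing the delegation (service) account that APM uses for S4U: it needs an SPN, protocol transition (since APM never sees the user's password after SAML/MFA), and the back-end application SPNs it may delegate to. The PowerShell below is an added example, not code from the thread or from F5's KB article; every account name and SPN in it is a constructed placeholder.

```powershell
# Added example: AD-side setup of the delegation account for APM Kerberos S4U
# (constrained delegation with protocol transition). All names are placeholders.
Import-Module ActiveDirectory

$SvcAccount  = 'svc-apm-krb'               # placeholder: account APM will use
$ApmSpn      = 'HTTP/apm.example.com'      # placeholder: SPN for the APM virtual server
$BackendSpns = @('HTTP/app.example.com')   # placeholder: SPNs of the published app

# 1. Create the account; the password is prompted, never hard-coded.
$Password = Read-Host -AsSecureString 'Password for the delegation account'
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128,AES256   # avoid RC4-only accounts

# 2. Register the SPN so the KDC can issue service tickets for this account.
Set-ADUser -Identity $SvcAccount -ServicePrincipalNames @{Add = $ApmSpn}

# 3. Enable protocol transition ("Use any authentication protocol"): required
#    because APM obtains tickets for a user it authenticated via SAML, not Kerberos.
Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $true

# 4. Limit delegation to the application SPNs only (constrained, not unconstrained).
Set-ADUser -Identity $SvcAccount -Add @{'msDS-AllowedToDelegateTo' = $BackendSpns}

# 5. Verify: SPN present, delegation targets set, and UAC bit 0x1000000
#    (TRUSTED_TO_AUTH_FOR_DELEGATION) on. Unconstrained delegation (0x80000) must stay off.
$u = Get-ADUser -Identity $SvcAccount -Properties ServicePrincipalNames,
        'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Account            = $u.SamAccountName
    SPNs               = $u.ServicePrincipalNames -join ','
    DelegateTo         = $u.'msDS-AllowedToDelegateTo' -join ','
    ProtocolTransition = ($u.userAccountControl -band 0x1000000) -ne 0
    Unconstrained      = ($u.userAccountControl -band 0x80000) -ne 0
}
```

The APM Kerberos SSO object then references this account and realm as described in the K43063049 article; keep the delegate-to list to the exact application SPNs so the account cannot be used against anything else.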